$arr_19 ), array( 3, false, $arr_20, $arr_24 ), array( 2, false, "\" />", $arr_25 ) ) ); ?> $arr_27 ), array( 3, false, $arr_28, $arr_30 ), array( 2, false, "\" />\n\n", $arr_31 ) ) ); ?> array( 2, false, false, $arr_9 ), array( 4, $arr_10, "if", $arr_245, $arr_248 ), array( 2, false, "\n", $arr_249 ) ) ); ?> rr_466 ), array( 4, $arr_467, "if", $arr_482, $arr_484 ), array( 2, false, "\n", $arr_485 ) ) ); ?> Mail Theft Possible from GroupWise Web Interface » Linux Magazine
 

Mail Theft Possible from GroupWise Web Interface

Feb 02, 2009

Security tester ProCheckUp has found critical bugs in Novell's GroupWise WebAccess that could allow e-mail theft.

The possible attack on the Web-based groupware stems from cross-site request forgery (CSRF) in which a forged HTTP request configured in the software under the user's authentication can send a new rule to mail forwarding (CVE-2009-0272). The attacker could then forward the user's mail to an account of the attacker's choice. To fall into this trap, the user needs only visit a website, click a link or open HTML mail prepared with the attacker's CSRF. With the new rule in place, the user could face a perpetual security threat.

ProCheckUp will release details of the sample attacker code (or "proof of concept") only after consulting with Novell and having a resolution on hand.

The security hole affects GroupWise versions 6.5x, 7.0, 7.01, 7.02x, 7.03 and 8.0. Novell has issued patches on its support website, at least for version 7.x and later. For end-of-life version 6.5x an upgrade is required to 7.03 or 8.0.

ProCheckUp also found two attack windows for cross-site scripting (XSS) in the above-mentioned GroupWise versions. An attacker can slip scripting code into HTML mail or attachments that could inflict (in the first case) temporary or (in the second case) permanent harm, with possible identity theft (CVE-2009-0273). Novell has also posted two separate hot patches (first and second) for these bugs on their support site.

comments powered by Disqus

Issue 152/2013

Tag Cloud

Bruce Byfield Gnome KDE Kernel Linux Linux Pro Magazine Open Source Projects Red Hat Ubuntu events foss free software google

News